Ok, so we have now self signed our own SSL Certificate for the vCenter Server. Let's first look at the steps that we need to take in order to replace the SSL Certificate for the vCenter Server.

The procedure for replacing the SSL Certificates for VMware vCenter Server involves:

Disconnect all ESX hosts that are being managed by the vCenter Server

Stop the vCenter Server services

Create a backup of the existing SSL Certificate files

Replace the Existing SSL Certificate files with the new SSL Certificate files

Reset the VMware vCenter Database Password

Start the VMware vCenter Services

Reconnect all ESX hosts managed by the vCenter Server

Ok, let's begin:

Disconnect all ESX hosts managed by the vCenter Server

In order to replace the SSL Certificates for a vCenter Server, all ESX hosts that are managed by that vCenter Server need to be disconnected from the vCenter Server.

Important: If multiple vCenter Servers are configured as Linked-Mode, it is only necessary to disconnect the ESX hosts that are being managed by the vCenter Server that is currently having its SSL Certificates replaced. There is no need to disconnect ESX hosts that are managed by other vCenter Servers in the Linked-Mode configuration. There is also no need to break the Linked-Mode configuration between the vCenter Servers. I have also seen posts on the community forums that suggest that you shut down all VMs running on all ESX hosts managed by the vCenter Server. This statement is not correct. There is no need to evacuate VMs from any ESX hosts.

Open the vSphere client and connect to the vCenter Server. Make sure that the "Hosts and Clusters" view is selected. Right-click on each ESX host in turn and click "Disconnect".

Stop the vCenter Server Services

Before we can replace the SSL Certificates we need to first stop the vCenter Server Services.

Create a new folder called "Backup". Once the folder has been created, move the rui.crt, rui.key, rui.pfx files into the Backup folder.

Copy the new SSL files from the OpenSSL-Win32\Bin folder on the Certificate Authority Server to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\

As the VMware vCenter database password has been encrypted using the original SSL Certificate when vCenter was installed, the vCenter Server Service will not be able to use the new SSL Certificate in order to decrypt the stored password. We therefore need to reset the vCenter database password and encrypt the password using the new SSL Certificate.

Open a new command prompt window and browse to the Program Files directory where VMware vCenter Server is installed. In the example below, vCenter Server is installed on a 64-bit operating system and is therefore installed at “D:\Program Files (x86)\VMware\Infrastructure\VirtualCenter Server\”, however the default installation path for vCenter Server when installed on a 32-bit operating system is “C:\Program Files\VMware\Infrastructure\VirtualCenter Server\”

To reset the password, type: "vpxd.exe -p" and press <Enter>. When prompted to enter a new DB password, enter a new password for the vCenter Database and press <Enter>. Enter the password again to verify the entry and press <Enter>. Confirm that “Reset DB password succeeded” is displayed.

Go back to the Services Management Console and find the following two services:

VMware VirtualCenter Management Webservices

VMware VirtualCenter Server

Right-click on the "VMware VirtualCenter Server" service and click "Start"

Once the VMware VirtualCenter Server service has started, right-click on the VMware VirtualCenter Management Webservices and click "Start".

Once the steps above have been followed, the VMware vCenter Server will be using the new SSL certificates. Please bear in mind that the SSL certificate was signed for a specific host based on the host's FQDN. Therefore, in order to avoid being presented with an SSL certificate warning, the FQDN of the vCenter server should now be used when logging into vCenter with the vSphere client.
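A check worth running on the new rui.crt and rui.key before they are copied into the SSL folder: confirm that the key belongs to the certificate, that the certificate's CN is the FQDN you will connect with, and that it has not expired. This script is an added example, not part of the original procedure; it assumes a POSIX shell with OpenSSL on the PATH on the machine that holds the files, and the function names and return codes are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a new
# certificate/key pair before it replaces vCenter's rui.crt and rui.key.
# Assumes OpenSSL is on PATH; function names are illustrative.

# Print the subject CN of a PEM certificate (subject CN only, no SAN check).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_pair CERT KEY FQDN
# Returns: 0 ok, 1 key does not match certificate, 2 CN differs from FQDN,
#          3 certificate expired, 4 a file could not be parsed.
check_pair() {
    crt=$1 key=$2 fqdn=$3

    # Both commands emit the public key as PEM, so the pair matches
    # only if the two outputs are identical.
    cert_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) || return 4
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] || return 1

    # Host names are case-insensitive, so compare in lower case.
    cn=$(cert_cn "$crt" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
    [ "$cn" = "$want" ] || return 2

    # -checkend 0 fails if the certificate is already past notAfter.
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1 || return 3
    return 0
}

# Usage: check_pair rui.crt rui.key vcenter.example.test && echo "pair OK"
```

A non-zero result means the files should not go into the SSL folder: a mismatched key stops the services from starting cleanly, and a CN mismatch brings back the certificate warning.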

I recommend you use a 2GB or 4GB memory stick. Although Openfiler can install in less than 1GB, you still want to leave some free space for logs and swap space. I used the SanDisk Cruzer Micro 4GB as it's a small device (physically) and it's made out of metal and not plastic and should be a little more durable. However, this memory stick also has a plastic sleeve covering the memory stick, which I removed in order to keep the memory stick as cool as possible inside my server. The server I've used is the HP ProLiant ML115 G5. This server has a USB port located on the motherboard which is perfect! As the USB memory stick will be located inside the server, it won't be dangling on the outside where it can be "removed" by "accident". You know what people are like ;-)

1. Unplug all SATA drives from the server. This is so that Openfiler detects the USB flash memory as /dev/sda and not as “/dev/sde” or something. It just makes things a little neater and simpler later on.

2. Power on the server and boot from the Openfiler 2.3 installation CD.

3. At the Openfiler Boot Menu, type linux expert and press enter. You have to pass the “expert” option or else the Openfiler installer will not display the USB flash memory as available storage to install Openfiler to.

4. When the installer has loaded, follow the screens until you get to decide whether to manually or automatically partition the drives. For normal installations automatic partitioning should be OK, however, as we will have to do some post install work on the kernel and the fact that we are only installing Openfiler on a 2GB or 4GB volume, we'll need more control over partition device numbers (/dev/sda1,2,3, etc) as well as partition sizes. I’ve therefore created my partitions manually as follows:

| Device | Mount Point | File System | Size | Primary |
|---|---|---|---|---|
| /dev/sda1 | /boot | ext2 | 100MB | Yes |
| /dev/sda2 | | swap | 1024MB | Yes |
| /dev/sda3 | / | ext3 | Fill to max | Yes |
| /dev/sda5 | /var/log | ext3 | 512MB | No |

Some notes on partitioning:

/dev/sda4 will automatically be created as an EXTENDED partition when you create the /var/log as a non-primary partition.

The reason for making /var/log a separate partition is because the log files can grow to large sizes. Making the /var/log mount point its own partition, protects the / partition from running out of space by growing log files in /var/log

5. Continue with installing Openfiler. As this is now installing on a USB 2.0 device, this may take a while longer than normal to complete. Mine took a good 50 minutes to install.

6. Once the installation has completed, keep the installation CD in the CD drive and reboot the server, this time booting from the Openfiler CD-ROM again and not from the newly installed Openfiler on the USB stick. If at this point you boot from the USB stick, the Kernel will not load USB storage drivers and won’t therefore be able to mount the root partition. This will result in a kernel panic.

7. When the server boots from the Openfiler CD, you will again be presented with the boot menu. This time, type: linux rescue

8. When asked to start the network system, choose “No”

9. At the rescue menu, choose “Skip”

10. At the prompt, create a new directory called system, and mount the root filesystem (/dev/sda3) to that directory

mkdir -p /mnt/system

mount /dev/sda3 /mnt/system

11. Now, mount the boot partition to /mnt/system/boot

mount /dev/sda1 /mnt/system/boot

12. Change the system root to /mnt/system. This allows you to work from /mnt/system as if it was the root filesystem

chroot /mnt/system

13. Now, extract the initrd image in /tmp

cp /boot/initrd-2.6* /tmp/initrd.gz && gunzip /tmp/initrd.gz

14. Create a new directory where we can extract the initrd files to and work on them

mkdir /tmp/tmp-initrd

cd /tmp/tmp-initrd

15. Extract the initrd files to the /tmp/tmp-initrd directory

cpio -i < /tmp/initrd

16. Now we need to edit the init file under /tmp/tmp-initrd/. I like to use vi as my text editor. So, here we go:

vi init

Press i to enter Insert Mode

Find the line with insmod /lib/sd_mod.ko

Enter the following lines after it:

insmod /lib/rs_mod.ko

insmod /lib/ehci-hcd.ko

insmod /lib/uhci-hcd.ko

sleep 5

echo "Loading USB Storage Drivers"

insmod /lib/usb-storage.ko

sleep 10

To save the file and quit vi, press “:wq”
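If you would rather not edit init by hand in the rescue shell, the same change from step 16 can be scripted. This is an added example, not part of the original guide: the function name patch_init is made up for illustration, the inserted lines are copied from step 16 as given, and it assumes awk and grep are available inside the chroot.

```shell
#!/bin/sh
# Added example (not from the original guide): insert the USB module lines
# from step 16 into an unpacked initrd "init" script without using vi.

# The lines from step 16, in the order they must load.
usb_lines() {
cat <<'EOF'
insmod /lib/rs_mod.ko
insmod /lib/ehci-hcd.ko
insmod /lib/uhci-hcd.ko
sleep 5
echo "Loading USB Storage Drivers"
insmod /lib/usb-storage.ko
sleep 10
EOF
}

# patch_init FILE
# Returns: 0 patched or already patched, 1 anchor line missing,
#          2 FILE not found, 3 rewrite failed.
patch_init() {
    init_file=$1
    anchor='insmod /lib/sd_mod.ko'
    [ -f "$init_file" ] || { echo "no such file: $init_file" >&2; return 2; }
    if ! grep -qF "$anchor" "$init_file"; then
        echo "anchor '$anchor' not found in $init_file" >&2
        return 1
    fi
    # Idempotent: do nothing if the USB storage line is already present.
    if grep -qF 'insmod /lib/usb-storage.ko' "$init_file"; then
        return 0
    fi
    cp -p "$init_file" "$init_file.orig"      # keep the untouched copy
    usb_lines > "$init_file.usb"
    # Copy every line through; after the first anchor line, emit the block.
    awk -v blk="$init_file.usb" -v anchor="$anchor" '
        { print }
        !done && index($0, anchor) {
            while ((getline line < blk) > 0) print line
            close(blk); done = 1
        }' "$init_file.orig" > "$init_file.new" || return 3
    cat "$init_file.new" > "$init_file"       # preserves init's mode bits
    rm -f "$init_file.new" "$init_file.usb"
}

# Usage inside the chroot: patch_init /tmp/tmp-initrd/init
```

The original script is kept beside it as init.orig, so a bad edit can be reverted before the initrd is repacked.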

17. Now we have configured the init script to load some modules when the kernel boots, however, we now need to copy the actual module files to /lib/